Hacker Tries to Poison Florida Water Supply – What Went Wrong?

CJ Hurd
February 18, 2021 at 1:00 PM

It seems like we are hearing about a new cyber-attack at least weekly as of late. It is becoming exhausting and has created such an unsettled feeling in almost any vertical that uses technology. One news headline that caught my attention recently was an attempt in Florida to poison the local water supply. I assumed it was a physical act of sabotage, extremism, or something similar that occurred. Turns out it was carried out through a cyber hack that allowed the hacker to access a water treatment plant’s computer system.

On February 5th, a cyber attacker was able to exploit weaknesses in the Bruce T. Haddock Water Treatment Plant’s computer network to remotely access the system and manage the treatment of the water, raising the levels of sodium hydroxide in the water from about 100 parts per million to over 11,000. Fortunately for the city of Oldsmar, Florida, the plant manager was paying attention and noticed the hack as it unfolded. He was able to return the system to normal before any major damage occurred. But it is scary to think what could have happened if he were not so observant!

If you have not realized it yet, everything these days is connected to a computer, and in most cases is connected to the internet. This unfortunately means that systems or services that rely on a computer and are tied to the internet are susceptible to something like what happened to the Bruce T. Haddock Water Treatment Plant.

The good news is there are ways to combat these bad guys! I have been lucky enough to learn from others’ mistakes throughout my life as well as my professional career. Now, as a Cybersecurity Consultant for Compass IT Compliance, I get to take the lessons learned from a situation like this and help others make sure these things do not happen to them.

Every system is hackable – it is just the truth. Our goal is to at least make it as difficult as possible to hack into your system. I equate it to someone trying to break into your car. You can lock the car, hide belongings inside so they are not visible, get an alarm, or a GPS tracking system to help reduce the likelihood that your car is broken into or stolen, or at least to make it harder for criminals to do so. And if your car is broken into or stolen, there is now a higher chance the criminal will get caught. But if you leave the window down or the door unlocked with expensive sunglasses on the dash, then you are an easy target. At least if the window is up and the door is locked, the criminal must put in a little effort.

It is no different with a computer-based system. When I say everything is hackable, I am not lying. It is just a matter of how hard it is and how long it will take. The bad guys may make a drive-by and attempt to hack into your system, but if you have security controls in place that make it hard on them, chances are your system and the information in it are safe and the attackers will move on to an easier target.

In the case of this water treatment plant, sorry to say, they made it easy for the hacker to get in. Let us explore what weaknesses existed to allow this to happen, and what controls would have helped to keep this from happening in the first place.

Vulnerabilities That Existed

  • No firewall
  • Unsupported operating system (Windows 7)
  • Shared password
  • Unused remote access software

The hacker used remote access software called TeamViewer. There is nothing wrong with this as it is a very popular and reputable software application. The problem is, it was reported that it had not been used in months and employees were not even aware it was still installed on the system. This is the dangerous part. Organizations should be inventorying what software is installed on all systems and reviewing this list regularly. Anything that is not supported, has been replaced, or is not needed anymore should be uninstalled. Furthermore, software should be limited to only those that have a business need for it. Giving it to everyone increases the risk that unauthorized or malicious activity will take place.

The use of shared passwords for the remote access software compounded the issue. There was a single password that worked for all instances of the TeamViewer application. This is another big no-no! All users should have their own unique username and strong password for system access. In addition, having multi-factor authentication (MFA) implemented is preferred. Password-related breaches are the most common type of hack. The use of a shared password not only increases this risk but also makes it easier to access other parts of the network.

Windows 7 still being in use as the operating system was just asking for trouble. Windows 7 became unsupported on Jan 14th, 2020, roughly 13 months before this occurred. Initial notification of unsupported status came far prior to that. There is no excuse to not have made this change. What does it mean to be unsupported? It means no more support from Microsoft, which also means no more security updates. So, for 13 months these devices went without any of the critical updates that are needed to keep these devices secure.
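The inventory review recommended above, sketched as an added example (not code from the original article): it audits constructed inventory records for three of the listed weaknesses, an unsupported OS, idle or unowned remote-access software, and one login reused across hosts. The host names, record fields, account names and the 90-day idle threshold are assumptions.

```python
from datetime import date

# End-of-support dates; the Windows 7 date is the one the article cites.
END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14)}
REMOTE_ACCESS_TOOLS = {"TeamViewer"}  # assumption: tools this site tracks
MAX_IDLE_DAYS = 90                    # assumption: review threshold

# Constructed inventory records; hosts, owners and accounts are hypothetical.
INVENTORY = [
    {"host": "hmi-01", "os": "Windows 7", "software": "TeamViewer",
     "last_used": date(2020, 8, 1), "owner": None, "account": "operator"},
    {"host": "hmi-02", "os": "Windows 7", "software": "TeamViewer",
     "last_used": date(2020, 7, 15), "owner": None, "account": "operator"},
    {"host": "eng-01", "os": "Windows 10", "software": "TeamViewer",
     "last_used": date(2021, 2, 1), "owner": "j.doe", "account": "j.doe"},
]

def audit(inventory, today):
    """Return (host, finding, detail) tuples for records that need action."""
    findings, hosts_by_account = [], {}
    for rec in inventory:
        host = rec["host"]
        eos = END_OF_SUPPORT.get(rec["os"])
        if eos is not None and today > eos:
            findings.append((host, "unsupported-os",
                             f"{rec['os']}: no security updates for {(today - eos).days} days"))
        if rec["software"] in REMOTE_ACCESS_TOOLS:
            idle = (today - rec["last_used"]).days
            if idle > MAX_IDLE_DAYS:
                findings.append((host, "unused-remote-access",
                                 f"{rec['software']} idle {idle} days: uninstall"))
            if rec["owner"] is None:
                findings.append((host, "no-business-owner",
                                 f"{rec['software']} has no recorded business need"))
            hosts_by_account.setdefault(rec["account"], set()).add(host)
    # The same remote-access login on several hosts means a shared credential.
    for account, hosts in sorted(hosts_by_account.items()):
        if len(hosts) > 1:
            findings.extend((h, "shared-credential",
                             f"login '{account}' reused on {len(hosts)} hosts")
                            for h in sorted(hosts))
    return findings

if __name__ == "__main__":
    for host, finding, detail in audit(INVENTORY, date(2021, 2, 5)):
        print(f"{host:8} {finding:22} {detail}")
```
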

Honestly, there is a chance that the water treatment plant could have had all these other vulnerabilities that I discussed, and if they had a firewall in place this whole thing could have been avoided. A firewall will help to restrict unauthorized access as it is the first line of defense for your network. You can monitor the incoming and outgoing traffic based on rules that you set to determine what gets through and what gets blocked or flagged. The firewall acts as the primary gatekeeper for your system.

Like I said before, everything is hackable… but do not make it easy for attackers! There are industry best practice controls that will help guide you through what needs to be implemented to keep your system, your organization, and your data safe. Compass IT Compliance is here to help! Our team of highly experienced cybersecurity professionals has spent each day for the past decade assisting organizations that found themselves in similar vulnerable situations. We have a wide variety of solutions to help mitigate your cyber vulnerabilities and achieve compliance with various regulations and frameworks. Contact us today to speak with me or a member of my team regarding your unique situation!
